infra: Salt-manage k3s unit file with maxPods=250 #332

New issue

Closed

opened 2026-05-05 01:24:03 +00:00 by forgejo_admin · 0 comments

forgejo_admin commented 2026-05-05 01:24:03 +00:00

Contributor

Copy link

Type

Feature

Lineage

Standalone — discovered during westside-admin-dev overlay setup (2026-05-04). Node hit 110 pod ceiling, fixed live, needs codification.

Repo

forgejo_admin/pal-e-platform

User Story

As a platform operator
I want the k3s maxPods limit codified in Salt
So that it survives reprovisioning and is auditable as infrastructure-as-code

Context

archbox hit the default kubelet maxPods: 110 ceiling with 125 pods running (38 Tailscale proxies alone). The limit was raised to 250 via direct edit to /etc/systemd/system/k3s.service on 2026-05-04. Currently salt/states/k3s/init.sls only verifies the binary exists and service is running — it explicitly does NOT manage the unit file. This ticket changes that by templating the unit file through Salt with configurable kubelet args via pillar.

File Targets

Files to modify or create:

• salt/states/k3s/init.sls — convert from verify-only to managed unit file
• salt/states/k3s/k3s.service.j2 — new Jinja2 template for the systemd unit
• salt/pillar/k3s.sls — new pillar file with k3s config values
• salt/pillar/top.sls — include new k3s pillar

Files NOT to touch:

• terraform/ — this is Salt-layer (system config), not Terraform-layer (k8s resources)

Acceptance Criteria

• k3s Salt state templates the systemd unit file via file.managed
• --kubelet-arg=max-pods=250 rendered in ExecStart args
• max-pods value driven by pillar:k3s:kubelet:max_pods
• service.running watches the unit file (auto-restart on change)
• Template matches current live state (no unintended drift on first apply)

Test Expectations

• salt-call state.show_sls k3s renders without errors
• salt-call state.apply k3s test=True shows no changes (matches live state)
• Run command: sudo salt-call state.apply k3s test=True

Constraints

• Template must match the current live /etc/systemd/system/k3s.service exactly (including --disable=traefik)
• Use cmd.run for systemctl daemon-reload triggered by unit file changes
• Follow existing Salt patterns in this repo (see salt/states/firewall/init.sls for template+service pattern)

Checklist

• PR opened
• salt-call state.apply k3s test=True shows no diff
• No unrelated changes

Related

• project-pal-e-platform — platform infrastructure

### Type Feature ### Lineage Standalone — discovered during westside-admin-dev overlay setup (2026-05-04). Node hit 110 pod ceiling, fixed live, needs codification. ### Repo `forgejo_admin/pal-e-platform` ### User Story As a platform operator I want the k3s maxPods limit codified in Salt So that it survives reprovisioning and is auditable as infrastructure-as-code ### Context archbox hit the default kubelet `maxPods: 110` ceiling with 125 pods running (38 Tailscale proxies alone). The limit was raised to 250 via direct edit to `/etc/systemd/system/k3s.service` on 2026-05-04. Currently `salt/states/k3s/init.sls` only verifies the binary exists and service is running — it explicitly does NOT manage the unit file. This ticket changes that by templating the unit file through Salt with configurable kubelet args via pillar. ### File Targets Files to modify or create: - `salt/states/k3s/init.sls` — convert from verify-only to managed unit file - `salt/states/k3s/k3s.service.j2` — new Jinja2 template for the systemd unit - `salt/pillar/k3s.sls` — new pillar file with k3s config values - `salt/pillar/top.sls` — include new k3s pillar Files NOT to touch: - `terraform/` — this is Salt-layer (system config), not Terraform-layer (k8s resources) ### Acceptance Criteria - [ ] k3s Salt state templates the systemd unit file via `file.managed` - [ ] `--kubelet-arg=max-pods=250` rendered in ExecStart args - [ ] max-pods value driven by `pillar:k3s:kubelet:max_pods` - [ ] `service.running` watches the unit file (auto-restart on change) - [ ] Template matches current live state (no unintended drift on first apply) ### Test Expectations - [ ] `salt-call state.show_sls k3s` renders without errors - [ ] `salt-call state.apply k3s test=True` shows no changes (matches live state) - Run command: `sudo salt-call state.apply k3s test=True` ### Constraints - Template must match the current live `/etc/systemd/system/k3s.service` exactly (including `--disable=traefik`) - Use `cmd.run` for `systemctl daemon-reload` triggered by unit file changes - Follow existing Salt patterns in this repo (see `salt/states/firewall/init.sls` for template+service pattern) ### Checklist - [ ] PR opened - [ ] `salt-call state.apply k3s test=True` shows no diff - [ ] No unrelated changes ### Related - `project-pal-e-platform` — platform infrastructure

forgejo_admin referenced this issue from a commit 2026-05-05 01:26:18 +00:00

infra(salt): manage k3s unit file with maxPods=250 (#332)

forgejo_admin referenced this issue from a pull request that will close it, 2026-05-05 01:26:48 +00:00

infra(salt): manage k3s unit file with maxPods=250 #333

forgejo_admin referenced this issue 2026-05-05 01:28:33 +00:00

infra(salt): manage k3s unit file with maxPods=250 #333

forgejo_admin added the

status:needs-fix

label 2026-05-05 01:28:34 +00:00

forgejo_admin referenced this issue from a commit 2026-05-05 01:30:13 +00:00

infra(salt): manage k3s unit file with maxPods=250 (#332)

forgejo_admin referenced this issue from a pull request that will close it, 2026-05-05 01:51:43 +00:00

infra(salt): manage k3s unit file with maxPods=250 #333

forgejo_admin added

status:approved

and removed

status:needs-fix

labels 2026-05-05 01:51:44 +00:00

forgejo_admin closed this issue 2026-05-09 16:34:24 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

fix-gem-bin-path

netpol-westside-ror

fix-woodpecker-multi-pipeline

345-harbor-mobile-css

290-payment-pipeline-observability

spec-board-centric-renderer

284-fix-add-pal-e-docs-namespace-to-postgres

284-add-pal-e-docs-postgres-netpol

188-cross-repo-worktree-isolation-for-parall

111-fix-keycloak-probe

86-fix-rotate-woodpecker-api-token-in-salt

71-feat-deploy-pyrra-slo-manager-with-servi

64-hotfix-woodpecker-oauth-login-broken-for

18-fix-grafana-duplicate-default-datasource-v2

18-fix-grafana-duplicate-default-datasource

13-fix-cnpg-all-parameters

No results found.

Labels

Clear labels   

domain:backend

  

domain:devops

  

domain:frontend

  

status:approved

QA passed, awaiting merge approval

  

status:in-progress

Dev agent is actively working

  

status:needs-fix

QA found issues, back to dev

  

status:qa

PR submitted, awaiting QA review

  

type:bug

Bug fix

  

type:devops

Infrastructure/CI/config work

  

type:feature

New functionality

No labels

domain:backend

domain:devops

domain:frontend

status:approved

status:in-progress

status:needs-fix

status:qa

type:bug

type:devops

type:feature

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

ldraney/pal-e-platform#332

No description provided.